The Evils of Javascript

Published Oct 25, 2017Last updated Oct 26, 2017

Javascript is a popular turing complete language for front end web development despite some of its pitfalls. This will be a brief cover on some things to watch out for when programming in javascript.

Eval

The most notorious threat in JS is the eval function. Eval is Evil! This function 'evaluates' a string as JS code. Prior to the days of the JSON.parse function, there was just eval. Just imagine the fireworks if you had a site where there was user input, and the input was added to a JSON string and sent to a server where it was handled with eval, and you injected malicious JSON in your input. This may be a more extreme case that you might not see in the wild, but given you dont implement proper sanitation of strings going into eval, you could end up with XSS or SQLi vulns.

Unescape

This is probably an example of a fairly harmless function that I've seen abused in webkit. The unescape function decodes a string of escape sequences to their respective character values. I've used a webkit exploit once that relied on using a heap spray technique to run a payload. This payload was written in escape sequences and then unescape was used to translate it into bytes of code to be ran by webkit. After doing this it was a matter of gaining control of the program counter (PC) .. or EIP if you're on x86 architecture. Also its possible to use unescape to mask malicious code as an escape sequence and run it through eval to execute.
i.e

<script>eval(unescape('%61%6C%65%72%74%28%27%68%61%78%21%27%29'))</script>

would be the same as running

alert('hax!');

Pegasus

This one isnt really a fault of JS as a language but more so webkit, but I find it very interesting. Pegasus was a fairly well known jailbreak method for iOS. It relied on a webkit memory corruption exploit. In short, we were able to perform a use-after-free exploit to craft our own JS objects giving us basically userland access. I used this with the Nintendo Switch to control the webkit module and call a vulnerable IPC function allowing me to dump another process.

Conclusion

This was just off the top of my head but as you might see, JS can be real nasty. I tried not to go too much into detail since thats out of the scope of this post. This is mainly just to make people aware of some of the pitfalls of JS and maybe help people think outside the box while programming.

Discover and read more posts from Adam H.
get started
Enjoy this post?

Leave a like and comment for Adam